APPELLANTS' REPLY BRIEF (37 CFR 1.193)



Sir: 

Appellants now present this Reply Brief in response to the Examiner's Answer of 
November 15, 2006 and make the following responses to the Examiner's arguments. 
Appellants' Reply Brief responds to several of the arguments made by the Examiner in the 
Examiner's Answer. For a full discussion of Appellants' arguments, see Appellants' Appeal 
Brief, filed August 25, 2006. 



A. STATUS OF CLAIMS 

The Examiner's Answer states in Section "3" that "The statement of the status of the 
claims contained in the brief is incorrect. A correct statement of the status of the claims is as 
follows:" The Examiner's Answer, however, does not include a following statement. Appellants 
have reviewed the statement of status of the claims contained in Appellants' Appeal Brief, and 
assert that the statement is correct. 
B. APPELLANTS' CLAIMS 1, 5, 8, 11, 14, 18, AND 28-30 ARE PATENTABLE OVER 
LEWIS IN VIEW OF LOCKHART. 

a) Configuration Settings 

In the Examiner's Answer, the Examiner cites that "the Examiner is relying on analogous 
prior art for the purpose of rejecting the subject matter at issue" and proceeds to deduce that 
Lewis's "precursors" are analogous to Lockhart's "predetermined thresholds" in order to suggest 
that the Examiner is viewing Appellants' independent claims as a whole. As discussed below, 
Lewis's "precursors" are clearly not analogous to Lockhart's "predetermined thresholds" and, as 
a result, the Examiner does not view Appellants' independent claim as a whole. Rather, the 
Examiner dissects Appellants' independent claims into discrete elements and evaluates the 
elements in isolation, which is not allowed under MPEP 2106 as stated below: 

"Finally, when evaluating the scope of a claim, every limitation in the claim must 
be considered. Office personnel may not dissect a claimed invention into 
discrete elements and then evaluate the elements in isolation. Instead, the claim as 
a whole must be considered." 

As discussed in detail in Appellants' Appeal Brief, Lewis's "attack precursors" are 
identified events that occur prior to an attack. Lewis states, "...the variables icmpInMsgs, 
icmpInEchos, icmpInEchoReps, and icmpOutEchos are key variables for detecting Ping Flood 
Attacks since they are related to the inflows of pings (ICMP Echo Request messages) in the 
target machine" (page 6, para. 75). Lewis never teaches or suggests that these identified events 
are a numerical value, but rather an actual event as shown in the excerpt above. 

In contrast, Lockhart's "predetermined threshold" is, in fact, a numerical value that is used 
in the determination of whether Lockhart received a number of requests from a particular source 
IP address that exceeds the predetermined threshold. As can be seen, Lockhart's "predetermined 
threshold" is in no way analogous to Lewis's "identified events" and, therefore, they may not be 
interchanged. Since the Examiner does, in fact, interchange these two items, the Examiner does 
not view Appellants' invention as a whole, but rather dissects Appellants' independent claims 
into discrete elements and evaluates the elements in isolation. 
b) Lockhart never teaches changing the predetermined threshold based upon attack 
simulations. 

In the Examiner's Answer, the Examiner states that "Lockhart's 'predetermined 
threshold' changed under attack." The Examiner, however, did not provide a location in 
Lockhart that shows Lockhart teaching such a limitation. After further review of Lockhart, 
Lockhart never teaches or suggests changing the predetermined threshold before, during, or after 
an attack. Rather, Lockhart merely compares a number of requests with the predetermined 
threshold and accepts or rejects the request accordingly. 

c) Lewis's precursors are not based upon a number of packets received from a particular 
source IP address. 

In the Examiner's Answer, the Examiner states that "it is well known in the art of 
networking that data can be collected upon a number of packets received from a particular 
source IP address" and implies that Lewis collects events in such a manner. The issue is not that 
Lewis collects a number of packets received from a particular source IP address, but that Lewis's 
precursors are not based upon a number of packets received from a particular source IP address 
(a quantity of packets). In fact, Lewis states, "Recall that it is not known which ones are the 
attacking machines..." (page 7, para. 87). Since Lewis knows that the event IP addresses are 
irrelevant to the invention because attacks can come from multiple machines, and since Lewis is 
interested in only identifying the type of event (discussed above), Lewis never teaches or 
suggests collecting event information based upon a source IP address. 

The Examiner also states that "it would have been obvious to combine the teaching of 
Lewis et al of collecting data to determine a precursor with the teaching of Lockhart et al of 
collecting data based upon IP address to teach the claimed invention." As discussed above, 
Lewis's precursors are not a numerical value, and are not analogous with Lockhart's 
predetermined threshold. Again, the Examiner's statement stems from dissecting Appellants' 
independent claims into discrete elements and evaluating the elements in isolation, which is not 
allowed under MPEP 2106. 
C. APPELLANTS' CLAIM 27 IS PATENTABLE OVER PTACEK IN VIEW OF 
LOCKHART AND FURTHER IN VIEW OF BARRETT 

In the Examiner's Answer, the Examiner states that "It would have been obvious to one 
with ordinary skill in the art to conclude that Ptacek is doing simulated network attack in order 
to test the vulnerabilities of the network and to adjust the configuration settings." Appellants, 
however, are not claiming merely adjusting a configuration setting but, rather, Appellants' 
limitation claims "adjusting a server configuration setting based upon the analysis, wherein the 
adjusted server configuration setting is selected from the group consisting of the stored packet 
limit and the stored socket limit." Appellants assert that the Examiner's suggestion that this 
detailed limitation would have been obvious to one with ordinary skill in the art is unfounded, 
especially since Ptacek's simulations do not send either 1) an excessive amount of packets 
(corresponding to the stored packet limit) from a particular source IP address or 2) request an 
excessive amount of sockets (corresponding to the stored socket limit) as claimed by Appellants. 

As described above, and as further discussed in Appellants' Appeal Brief, Lewis in view 
of Lockhart simply do not teach each and every element of Appellants' independent claims 1, 8, 
and 14 as required to support a rejection under 35 U.S.C. § 103(a). In addition, and as further 
discussed in Appellants' Appeal Brief, Ptacek in view of Lockhart and further in view of Barrett 
simply do not teach each and every element of Appellants' independent claim 27 as required to 
support a rejection under 35 U.S.C. § 103(a). Moreover, as explained in Appellants' Appeal 
Brief, the prior art cited by the Examiner does not teach or suggest Appellants' other dependent 
claims, which are not discussed in this reply. Accordingly, each of Appellants' independent 
claims 1, 8, and 14 is allowable over Lewis in view of Lockhart, and Appellants' independent 
claim 27 is allowable over Ptacek in view of Lockhart and further in view of Barrett. Each of the 
remaining claims depends, directly or indirectly, on one of the independent claims and is 
therefore allowable for at least the same reasons. 
Conclusion 

For the foregoing reasons, Appellants respectfully submit that claims 1, 5, 8, 11, 14, 18, 
and 21-30 are patentable, and, accordingly, Appellants respectfully request that the Examiner's 
claim rejections be reversed and claims 1, 5, 8, 11, 14, 18, and 21-30 be allowed. 

Respectfully submitted, 



By /Leslie A. Van Leeuwen, Reg. No. 42,196/ 
Leslie A. Van Leeuwen, Reg. No. 42,196 
Van Leeuwen & Van Leeuwen 
Attorney for Appellants 
Telephone: (512) 301-6738 
Facsimile: (512) 301-6742 